Snap install of certbot on ubuntu 22 - renew process


I have installed certbot tru snap on ubuntu 22 host, and everything works as expected. Thanks for making this happen.

Does it automatically renew with a default install? Or do I have to make any changes? I have googled for it, but there are many answers for many versions.

systemctl list-timers return:

Mon 2023-05-01 23:09:00 UTC 3h 25min left n/a                         n/a    snap.certbot.renew.timer       snap.certbot.renew.service

and under /etc/systemd/system there are snap.certbot.renew.service and snap.certbot.renew.timer

I also checked the crontab and related folders and found no reference to the renew command.

The contents of snap.certbot.renew.service are:

# Auto-generated, DO NOT EDIT
Description=Service for snap application certbot.renew
After=snap-certbot-2913.mount snapd.apparmor.service

ExecStart=/usr/bin/snap run --timer="00:00~24:00/2" certbot.renew


So I think it will autorenew, but we dont have a post hook to restart apache2.

Any ideas on how to accomplish this?

Best Regards,

The install setups up a timer as you see which runs certbot renew

And, that reviews and renews any certs based on their renewal config file. So, as long as you used a method that allows auto-renew it should be fine. Really, the only method that can't auto-renew is --manual without the special hooks. Or, if after you get the cert you change your system config like blocking port 80 even when using the HTTP Challenge.

You can test renewals with

sudo certbot renew --dry-run

The --dry-run will not disrupt any active certs.

If you want, show us the contents of the conf file in /etc/letsencrpyt/renewal too

Why do you think you need a post-hook


How to restart Apache2 ?
I'd reload it instead of restarting it.
If you use cron, try restarting it weekly, with:
systemctl reload apache2

Add a "deploy-hook" to certbot for that route.


If they are using --apache plug-in they don't even have to worry about reload as the plug-in will do that.

They haven't said anything about how the options used to get the cert.


I must assume that Apache2 is NOT being reloaded ...
Otherwise, the question would not exist.

But, true, nothing has been said about exactly how the cert is being renewed.


Who said it wasn't? The original question focused on the timer and wondered whether they had done enough so renew worked (not that renew ever failed).

We really just don't know enough yet.


If you used certbot --apache, then Apache will reload automatically.

If you didn't, you can tell Certbot to reload Apache after renewing your certificate by running:

sudo certbot reconfigure --cert-name --deploy-hook "systemctl reload apache2"

Is this your first run of certbot? I don't see your domain in the thread, so I cant tell if you have a history of certificates yet...

I am not an expert on the systemd timers (yet) But I am betting on the fact that your system hasn't had time to renew yet, so the timer output is not yet complete, or fully populated.
Guessing is not good.
My 2 cents.


Hello @_az:

I used "certbot certonly --apache" and then I manually changed apache configuration to use ../live/* files.

My certificates are brand new, so they are not expired yet. I just don't want to go tru certifiate hell when the time comes, so I was checking to see it will renew. I also tried certbot renew --dry-run and it runs without problems.

With the current configuration, it seems it will renew automatically, it seems snap.certbot.renew.timer checks when it is the right time, and then triggers snap.certbot.renew.service, but I found no mechanism inside snap.certbot.renew.serrvice to reload apache.

Notice that I used certonly to generate the certificates. I did run the reconfigure command as below, and got the following result:

root@:~# certbot reconfigure --cert-name --deploy-hook "systemctl reload apache2"
Saving debug log to /var/log/letsencrypt/letsencrypt.log

You are attempting to set a --deploy-hook. Would you like Certbot to run deploy
hooks when it performs a dry run with the new settings? This will run all
relevant deploy hooks, including directory hooks, unless --no-directory-hooks is
set. This will use the current active certificate, and not the temporary test
certificate acquired during the dry run.

(R)un deploy hooks/(D)o not run deploy hooks: R
Simulating renewal of an existing certificate for and 9 more domains

Successfully updated configuration.
Changes will apply when the certificate renews.


In /etc/letsencrypt/renewal/ there is a line: renew_hook = systemctl reload apache2

I think this should do it, but is there a sure way to test if it works?

Best Regards,

The reconfigure dry-run is a pretty reliable indication that it will work, unless the issue lies somewhere else that we haven’t considered.

I suggest setting a calendar reminder, one week before the certificate expires, to check manually that it has done the expected thing.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.